EL BROMANCE
Jun 10, 2006

COWABUNGA DUDES!



I worked at a place about 15 years ago where, in a 7 man office, the IT guy disabled all the USB ports on every machine behind a password protected BIOS. Like most IT people, he was a crazy and deranged individual who should have been fired for an absolute multitude of reasons, but I can't argue with him being ahead of the times on that one.


GreyjoyBastard
Mar 28, 2010


bitcoin bastard posted:

This is (probably) how Stuxnet became a thing. $20 in lovely USB drives is a pretty low buy in if someone uses one to jump the air gap at a reasonably important target.

Efb but this is why superglue in the USB port is a thing.

I was under the impression that Stuxnet was more about "saturate the Iranian internet and wait for someone to gently caress up". Still, even putting your own private USB sticks in your secure work computer is not the best plan.

Thanatosian
Apr 16, 2013

Angrier, Bitterer Man


Grimey Drawer

https://en.m.wikipedia.org/wiki/2008_cyberattack_on_United_States

ToxicSlurpee
Nov 5, 2003

-=SEND HELP=-




Pillbug

Ytlaya posted:

Wouldn't this be a really inefficient way of scamming people, since each "attempt" costs you the money necessary to buy the USB stick.

I guess it has the benefit over e-mail that if someone does pick it up they're likely to use it, so putting it on a sidewalk or something is effectively the same as e-mailing it to everyone who walks by, though there's also the chance that someone might kick it into the street/grass or something and ruin any chances of it succeeding.

You can get old, outdated sticks pretty cheap if you know where to look. People lose the drat things all the time so you could probably get a lot of them just watching, say, a library for a while. Realistically you also probably only need a few to get one positive; then as long as the virus can propagate from there that's all you need. A quick search on Amazon indicates that you can snag 100 16 GB thumb drives for $360. I'm going to guess you could get a few hits by just loading something nefarious on them and leaving them in parking lots.

That's why, despite all the advances in security, it really only takes one person doing something stupid to compromise entire systems with millions of records of customer data.

ToxicSlurpee fucked around with this message at 20:41 on Sep 25, 2016

Xlorp
Jan 23, 2008




If you found an unfamiliar USB drive in your pocket or handbag, would you just throw it away?

People are the derpiest link in any security scheme.

Snow Cone Capone
Jul 30, 2003




There was a Nine Inch Nails album release ARG that involved USB drives being left in places like concert hall bathrooms and such. So for a lot of people the answer to "if you found an unfamiliar USB drive in a grungy bathroom would you plug it into your computer" is "absolutely!"

It's like a scheme you'd see on an episode of Mr. Robot or something.

Police blotters in my town and the ones nearby are full of people who got scammed in various ways through the phone or web. Some of the incident reports detail some pretty solid social engineering on the parts of the scammers, but a lot of times it's pretty basic stuff, so I have no doubt in my mind that most people around here would plug a USB drive into either their work or home computers without a second thought.

Honestly, I'd love to see experiments done where people leave USB drives in various locations that contain a harmless trojan or whatever that would simply report back that it was activated and then do nothing else - it'd be cool to get actual real-world results as to how many people will just plug whatever drive in whatever computer.

EL BROMANCE
Jun 10, 2006

COWABUNGA DUDES!



Mr Robot did indeed use a very similar scheme (a rap CD a character was tricked into buying). The show is pretty good at using real life techniques that have a good hit rate.

sleppy
Dec 25, 2008



The hacker girl literally just tossed some USBs into their parking lot to get into the police system as well iirc. Like someone mentioned, something like that is often the only realistic way into a system, and I'm sure there are plenty of real life cops who are stupid enough to do it.

EL BROMANCE
Jun 10, 2006

COWABUNGA DUDES!



Ah yes, I forgot about that one. Such a good show.

Remulak
Jun 8, 2001

The four most over-rated things in life are champagne, lobster, anal sex and picnics. Oh, and that stupid children's book 'The Little Prince,' ugh.
:krad:


Yams Fan

Better late than whatever:

ToxicSlurpee
Nov 5, 2003

-=SEND HELP=-




Pillbug

drunk asian neighbor posted:

There was a Nine Inch Nails album release ARG that involved USB drives being left in places like concert hall bathrooms and such. So for a lot of people the answer to "if you found an unfamiliar USB drive in a grungy bathroom would you plug it into your computer" is "absolutely!"

It's like a scheme you'd see on an episode of Mr. Robot or something.

Police blotters in my town and the ones nearby are full of people who got scammed in various ways through the phone or web. Some of the incident reports detail some pretty solid social engineering on the parts of the scammers, but a lot of times it's pretty basic stuff, so I have no doubt in my mind that most people around here would plug a USB drive into either their work or home computers without a second thought.

Honestly, I'd love to see experiments done where people leave USB drives in various locations that contain a harmless trojan or whatever that would simply report back that it was activated and then do nothing else - it'd be cool to get actual real-world results as to how many people will just plug whatever drive in whatever computer.

The biggest motivators are curiosity and voyeurism. The first comes from the fact that humans are just naturally curious; we see a box we want to know what's in it. We explore. It's what we do. Of course an unknown USB drive might have something cool on it. Maybe it was dropped by a musician and unreleased stuff is on it. Maybe it has financial records you can use to get 15 minutes on the news by exposing. Wow!

In other cases it's the voyeurism; it's possible that it has homegrown porn on it or naked celebrity pictures. Maybe it's something hot as hell that you can show off to your friends or get known as the person that leaked naked photos of some celebrity or another who won't get naked in front of a camera. Think of the possibilities!!! You're drat right I'm plugging that fucker right in!

GreyjoyBastard
Mar 28, 2010


I mean, poo poo, I'd plug it in, just to an old burner computer. :v:

504
Feb 2, 2016

by R. Guyovich


GreyjoyBastard posted:

I mean, poo poo, I'd plug it in, just to an old burner computer. :v:

Yeah, but then you have to wait.. and you want to know RIGHT NOW, and work's got heaps of computers, nothing will happen.

bongwizzard
May 19, 2005

Then one day I meet a man,
He came to me and said,
"Hard work good and hard work fine,
but first take care of head"

Grimey Drawer

I would be very hard pressed to not plug a found USB into something. Way too curious/nosey.

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!


i still have an old promo usb key i found in a college computer lab :v:

HOT! New Memes
May 31, 2006






I'd plug it into my tv to see what files are on it first

Corsair Pool Boy
Dec 17, 2004

by Cyrano4747


College Slice

Taste the Rainbugh posted:

I'd plug it into my tv to see what files are on it first

Theoretically, this could allow your TV to participate in DDoS attacks like the one that took down Krebs, yes? I mean, super unlikely, but it *could* happen.

Remulak
Jun 8, 2001

The four most over-rated things in life are champagne, lobster, anal sex and picnics. Oh, and that stupid children's book 'The Little Prince,' ugh.
:krad:


Yams Fan

We have stacks of USB drives that we use with embedded systems. I can't even imagine what would happen if some nefarious person just left a bad one sitting in the stack someplace.

At least the lab is restricted access, I guess.

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!


MANime in the sheets posted:

Theoretically, this could allow your TV to participate in DDoS attacks like the one that took down Krebs, yes? I mean, super unlikely, but it *could* happen.

This is already happening. Your grandma is never going to update the firmware on the "smart" lightbulbs and digital picture frame that your little cousin set up for her. Many of these devices will never receive proper security patches from the manufacturer, or the company will go out of business. And bugs will be found, because bugs are always found. It is a disaster just waiting to happen, and I have not heard of any industry or regulatory initiatives to try and prevent it from happening.

stringball
Mar 17, 2009



bongwizzard posted:

I would be very hard pressed to not plug a found USB into something. Way too curious/nosey.

some guy posted that he found like 20 gigs of bbw porn, he went back the next day and put it back where it was

feedmegin
Jul 30, 2008




MANime in the sheets posted:

Theoretically, this could allow your TV to participate in DDoS attacks like the one that took down Krebs, yes? I mean, super unlikely, but it *could* happen.

Assuming your TV is connected to your network via ethernet or wifi, sure. And not that unlikely, no more so than targeting security cameras or whatever.

DizzyBum
Apr 16, 2007




USB sticks? Pshh, I found a Toshiba laptop hard drive in the street a couple years ago.

I really should see what's on it, if it's even working.

Zamboni Apocalypse
Dec 29, 2009


Sounds like a good reason to have a cheap junk laptop or tablet that can communicate with a cheap USB hub. Leave the laptop non-networked, maybe even just use a USB boot stick and you can just slap a new boot image on if when something bad happens. USBkiller toys might only kill the hub, even.

Or, you could just resist sticking strange dongles in your open ports, I dunno. :quagmire:

Comedy option: don't some stores (Apple, unless the Winter Soldier movie lied to me) still have open computers to play with?

sleppy
Dec 25, 2008



When poo poo like this exists, that becomes a legitimate liability. It may not blow up your computer like some claim, but Apple won't be happy when you go into their store and ruin one of their computer's USB ports.

feedmegin
Jul 30, 2008




sleppy posted:

When poo poo like this exists, that becomes a legitimate liability. It may not blow up your computer like some claim, but Apple won't be happy when you go into their store and ruin one of their computer's USB ports.

Probably all of them, it'd burn out the controller.

Cyrano4747
Sep 25, 2006

Behind every great engineer is someone just hoping the "genius" doesn't bankrupt everyone.



Zamboni Apocalypse posted:

Sounds like a good reason to have a cheap junk laptop or tablet that can communicate with a cheap USB hub. Leave the laptop non-networked, maybe even just use a USB boot stick and you can just slap a new boot image on if when something bad happens. USBkiller toys might only kill the hub, even.

Or, you could just resist sticking strange dongles in your open ports, I dunno. :quagmire:

Comedy option: don't some stores (Apple, unless the Winter Soldier movie lied to me) still have open computers to play with?

Just go to the library, either public or university. All the ones I've been to have available computers with working USB ports. I flat out assume those need to be reimaged monthly due to their user bases so it's not even that dick a move.

Jeb Bush 2012
Apr 4, 2007

A mathematician, like a painter or poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made with ideas.

Cyrano4747 posted:

Just go to the library, either public or university. All the ones I've been to have available computers with working USB ports. I flat out assume those need to be reimaged monthly due to their user bases so it's not even that dick a move.

As mentioned above, it's definitely a dick move. Even if you rule out a computer-smashing USB drive, just installing a keylogger on a public computer is pretty dangerous.

sleppy
Dec 25, 2008



That really just saves the hacker the trouble of going out and putting it on that public computer themselves. You should assume every public computer is insecure since who knows what other people put on it knowingly or not. In our labs on campus the computers are fresh each time they boot, so I usually restart one if I'm putting in any somewhat important passwords.

Cyrano4747
Sep 25, 2006

Behind every great engineer is someone just hoping the "genius" doesn't bankrupt everyone.



sleppy posted:

That really just saves the hacker the trouble of going out and putting it on that public computer themselves. You should assume every public computer is insecure since who knows what other people put on it knowingly or not. In our labs on campus the computers are fresh each time they boot, so I usually restart one if I'm putting in any somewhat important passwords.

Yeah, that's what I was assuming was SOP. The public library near me is that way, and all the Unis I've had personal experience with have been as well.

edit: Either way, sticking the sketchy parking lot thumb drive in the library computer to see if there's hot blackmail homegrown of your boss is probably better than putting it in your work machine.

Especially if you work at an Iranian nuclear plant.

Cyrano4747 fucked around with this message at 21:37 on Sep 28, 2016

cumshitter
Sep 27, 2005

cumshitter.com for all your pool supplies and finance needs


RE: dropping USB drives, I've heard dropping blank CDs with poo poo like "August Payroll" written on them is also effective, since some random employee will definitely want to know how their pay stacks up against their coworker's.

Jeb Bush 2012
Apr 4, 2007

A mathematician, like a painter or poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made with ideas.

sleppy posted:

That really just saves the hacker the trouble of going out and putting it on that public computer themselves. You should assume every public computer is insecure since who knows what other people put on it knowingly or not. In our labs on campus the computers are fresh each time they boot, so I usually restart one if I'm putting in any somewhat important passwords.

You should, but I'm not particularly confident that any given library computer will be handled properly, let alone that its users will be careful. (and, as mentioned, you could also just wreck the computer if someone's being a dick)

GreyjoyBastard
Mar 28, 2010


Cyrano4747 posted:

Just go to the library, either public or university. All the ones I've been to have available computers with working USB ports. I flat out assume those need to be reimaged monthly due to their user bases so it's not even that dick a move.

I worked in front line IT for a university for years. Monthly is almost optimistic.

And that's with a system that tries reasonably hard to quarantine user action. (As per sleppy. There were ways around it because our contractors were morons and/or presented with unrealistic and mutually contradictory demands)

GreyjoyBastard fucked around with this message at 22:19 on Sep 28, 2016

The Lone Badger
Sep 24, 2007



sleppy posted:

That really just saves the hacker the trouble of going out and putting it on that public computer themselves. You should assume every public computer is insecure since who knows what other people put on it knowingly or not. In our labs on campus the computers are fresh each time they boot, so I usually restart one if I'm putting in any somewhat important passwords.

Hardware keyloggers exist.

Through The Decade
Mar 3, 2010

BANANA?!?!?



bongwizzard posted:

I do event production and did a national meeting for some MLM group a few months ago.


Same, mine was a few years ago. Interesting to learn that there really are a few people near the top of these pyramids who somehow conned entire towns worth of people for their bonuses. Some of these people were making 100 grand a year just by signing up two friends who signed up ten who signed up fifty who signed up a thousand.

A friend of a friend I have on Facebook posted a while ago that he got caught by one of those schemes where some random lady friends you and then convinces you to get naked on your webcam and then she ransoms the recording, threatens to send it to your friends and your boss and so on. My first thought was about how idiotic you would have to be to fall for that, especially as he's in his early 20s and is supposed to be the web-savvy and question-everything generation. Then a bunch of other goobers his age chimed in to say how they were caught by the same thing at some point or another. I guess posting about it defeats the ransom component because now everyone knows you did it anyway.

monster on a stick
Apr 29, 2013


GreyjoyBastard posted:

I worked in front line IT for a university for years. Monthly is almost optimistic.

And that's with a system that tries reasonably hard to quarantine user action. (As per sleppy. There were ways around it because our contractors were morons and/or presented with unrealistic and mutually contradictory demands)

It seems you could just give a user a fresh VM with Windows/a web browser/whatever when they logged in assuming it's a lab or library or something.

DaRealAce
Dec 27, 2004
Touch It.. No I dont want to... TOUCH IT!

Speaking about USB drives...

http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!


monster on a stick posted:

It seems you could just give a user a fresh VM with Windows/a web browser/whatever when they logged in assuming it's a lab or library or something.

some of the local libraries around here do this. whenever you log out from your patron login, it reboots the machine

TheDon01
Mar 8, 2009




Lutha Mahtin posted:

some of the local libraries around here do this. whenever you log out from your patron login, it reboots the machine

All my college public lab computers were reimaged every time you logged out. There were big rear end signs on every monitor "DO NOT SAVE YOUR drat HOMEWORK ON THIS PC"

Professor Shark
May 22, 2012




I don't know if this was a scam or not, but someone claiming to be Sirius Radio phoned me the other day. They wanted to talk to a woman, I told them this wasn't her number. The lady paused, but then continued, telling me this lady-who-was-not-me owns a SUV and they wanted feedback from her on how she's enjoying Sirius. I explained again she had the wrong number, but then she continued on with some spiel... so I hung up.


Namarrgon
Dec 23, 2008

Congratulations on not getting fit in 2011!

Could just be a callcenter drone who is not allowed to disconnect the call for any reason.
